Vercel Data Breach Escalates: Prior Compromises Revealed

App and website hosting provider Vercel has disclosed that malicious actors accessed customer data through earlier compromises, indicating a broader security incident than initially understood. Evidence suggests these prior compromises occurred independently and predated the main breach, potentially through social engineering or malware.

Vercel's expanded investigation has uncovered a greater number of compromised customer accounts. The company has begun notifying affected customers, though specific details on the extent of the breach remain undisclosed. This update suggests the incident's scope and duration may be more significant than previously believed.

Initially, the breach was attributed to an employee downloading a compromised application from Context AI, which hackers then used to access the employee's work account and Vercel's systems. Vercel CEO Guillermo Rauch confirmed that the hackers' activities extended beyond the Context AI compromise.

Indications point towards hackers utilizing malware that targets computers for sensitive tokens, such as access keys for Vercel accounts and other services. These 'infostealers' can collect passwords and private keys, granting unauthorized system access. Rauch noted a pattern of rapid API usage following the acquisition of these keys, focused on enumerating non-sensitive environment variables.

The hijacked employee account was leveraged to access internal Vercel systems, including unencrypted customer credentials. Earlier reports suggested a Context AI employee's device was infected with infostealer malware after searching for game cheats, with compliance startup Delve reportedly having performed security certifications for Context AI.

The total number of affected Vercel customers remains unconfirmed. Both Vercel and Context AI have indicated that more companies may be impacted as investigations continue.